The WebDetetive spyware has been used to compromise and steal mobile data from over 76,000 Android phones over the past few years.
Now, a group of anonymous hackers have exploited the program’s security flaws, breaking into its servers and gaining access to user databases – and they also claim to have wiped all the phones the software was used to spy on from the network, making it impossible to upload new data from them.
WebDetetive uses Portuguese as it’s language and was reportedly used primarily in Brazil, where it mapped and stored information about users. The anonymous group of hackers allegedly obtained a cache of more than 1.5 gigabytes of data from the spyware’s web panel with information about WebDetetive’s customers, their IP addresses and their purchase history.
“The data also listed every device that each customer had compromised, which version of the spyware the phone was running, and the types of data that the spyware was collecting from the victim’s phone”, TechCrunch writes.
They also managed to get into the dashboard and delete the victims’ devices from the spy network – which allegedly prevented the devices from continuing to upload new data.
According to the hackers, they did it “Because we could. Because #Fuckstalkerware”.
While the cache did not contain the stolen data from the victims’ phones, a review of the data shows that WebDetetive had compromised more than 76,000 phones at the time, and that the customer list contained almost as many unique email addresses. However, email addresses are not verified during registration, making it difficult to analyze the spyware’s customers.
WebDetetive is a type of phone monitoring app that is planted on a person’s device without their consent – often by someone who knows the phone’s password, according to TechCrunch.
Once planted, the app changes its icon on the phone’s home screen – making it difficult to detect and delete – and then begins uploading the phone’s content to its own servers. This includes messages, call logs, call recordings, photos, location data, social media content, and environmental recordings made by the phone’s microphone.
This “stalkerware” is also notorious for poor coding, often putting victims’ already stolen data at risk of falling into the wrong hands again.
WebDetetive’s founders don’t want to reveal their own identities, but according to TechCrunch, the program is effectively a repackaged copy of OwnSpy spyware – a program developed in Madrid by Antonio Calatrava and his company Mobile Innovations that has been around since 2010 or longer. They are working on a concept where third parties who promote their spy app to new customers receive a commission, with OwnSpy taking a cut of the profits.
Whether there are any operational links between OwnSpy and WebDetetive is unclear. Owner Antonio Calatrava declined to answer questions, but shortly after TechCrunch contacted him, parts of OwnSpy’s known infrastructure were taken offline.
How to find out if your phone is compromised
Both WebDetetive and OwnSpy hide their app on the home screen by masquerading as a Wi-Fi app. The app is displayed with the name "WiFi" and a white wireless icon in a blue circle on a white background. However, when you tap it and the app information appears, you can see that the app is actually called "Sistema". A more comprehensive guide to removing this type of spyware is available here.